The United States federal government recently extended the compliance deadline for the “Red Flag Rule”, which mandates the establishment of a formal, written Identity Theft Prevention Program. The initial date for compliance was June 1, 2010, but that date has now been extended to December 31, 2010.
As many as nine million Americans have their identities stolen each year. Identity thieves drain accounts, damage credit and hinder an individual’s ability to obtain basic necessities such as housing and medical services. The cost to both businesses and individuals – left with unpaid bills and damaged credit – can be staggering.
In October 2007, the federal government enacted legislation aimed at reducing risk factors to prevent or reduce the occurrence of identity thefts each year. The regulations are part of the Fair & Accurate Credit Transactions Act (FACTA) of 2003 and are required to be enforced by the Federal Trade Commission beginning December 31, 2010. The “Red Flag Rule,” as it is commonly referred to, requires any business subject to these regulations to establish a formal, written Identity Theft Prevention Program focused on detecting “red flags” of possible identity theft in a business’s daily operations. The rules also require companies to take steps to prevent the crime and mitigate the damage it inflicts. The Red Flags Rule further expands a company’s risk management plan and mandates that a formal, written and revisable plan be implemented by December 31, 2010.
What is a red flag?
Red flags are potential patterns, practices or activities indicating the possibility of identity theft. The Federal Trade Commission lists the following as examples of red flags: alerts, notifications and warnings from a consumer reporting agency in response to a credit check; a credit application with inaccurate or incomplete information; suspicious documentation, such as inconsistent personal information, address changes or nonexistent Social Security numbers.
Rule requirements
The Rule requires organizations to have “reasonable policies and procedures in place” to identify, detect and respond to identity theft red flags. Companies should have defined processes to deal with notifications of identity theft that are reasonable for the degree of risk within the organization. Additionally, companies must review and update their program periodically, as well as have it properly administered.
Are you required to comply?
Any organization accepting payment on credit and/or extending credit is expected to comply with the rule, specifically healthcare organizations, non-profits, retailers, automobile dealerships, universities, utility companies and banks, to name a few. If your organization is extending credit to others, you may be required to comply.
Penalties for noncompliance
Maximum penalties are $3,500 per violation of the Fair Credit Reporting Act, which includes the Red Flags Rule. The maximum statutory penalty per violation for certain Federal Trade Commission rules that are enforced under the FTC Act can be up to $16,000, and continued violation allows the FTC to file a lawsuit in federal court, which can result in increased penalties for each violation and equitable relief.
In addition to the civil monetary penalties described above, consequences of noncompliance may also include regulatory enforcement action and the potential for private-plaintiff lawsuits under state laws where violation of federal rules is itself a violation of state laws. Perhaps even more important to consider is that noncompliance with the Red Flags Rule negatively impacts a company’s brand and reduces the potential for long-term customer loyalty. These intangible penalties have immeasurable costs.
How MCM can help
We can assist in performing a risk assessment, developing policies and procedures, creating a Red Flags Program and preparing annual reports, as well as training employees on the rule and its impact on the organization. Through the implementation of these services, MCM also assists with securing your company’s positive brand as one that is committed to your customers’ identity security.
Let us help you create an effective, compliant program. Contact J. Todd Rosenbaum, CPA, todd.rosenbaum@mcmcpa.com or Kelley Miller, CISA, kelley.miller@mcmcpa.com today!






